The Board of Directors has ultimate responsibility over the Group’s Sustainability disclosures. Nonetheless, there are previous levels of decision-making in place to ensure the consistency, integrity and robustness of ESG data disclosures. This is the case of the Audit Committee, which is responsible for, among other things, monitoring the preparation and disclosure of both financial and non-financial information1. The Group’s CGSRC, as the specialised committee for sustainability issues, is also informed about the Group’s processes and diligences to ensure alignment with the sustainability reporting frameworks, such as the European Sustainability Reporting Standards, and about actions, both in place and planned, to ensure reporting consistency, robustness and integrity.
The Group’s Corporate Communications and Responsibility Division, supported by the Sustainability and ESG Relations Department, is responsible for the development, implementation and monitoring of our sustainability strategy and for the processes established by the Companies for collecting and processing data related to environmental and social sustainability. This Division is also responsible for providing regular sustainability updates to the CGSRC, the Audit Committee and the Board of Directors.
Our sustainability reporting control systems follow a similar approach to the financial reporting control system, although they have not yet reached the same stage of maturity. In fact, sustainability disclosures are externally verified through Limited Assurance, while financial disclosures are subject to Reasonable Assurance. It is our goal to work progressively towards ensuring that the level of assurance for sustainability matches the level of assurance for financial matters.
The management of risks related to sustainability reporting follows the methodology described below, consisting of eight sequential and interrelated phases:
The first phase, relating to planning and the annual reporting timetable, establishes the structure of the cycle through a plan that defines responsibilities, the reporting frequency of indicators and the update of the integrated materiality assessment;
The second phase, relating to data collection, ensures that information is collected through standardised templates, access controls and reporting frequencies adjusted to the level of risk (monthly, quarterly or annually);
In the third phase, validation is performed through calculation checks. The information is subsequently reviewed in accordance with the “four-eyes principle”, with the reviews documented;
This is followed by a cross-functional analytical review phase, which compares results across areas and reporting periods, establishing limits/thresholds to identify deviations that must be explained and supported by evidence;
In the consolidation and approval phase, the data are reconciled, consolidated and formally approved in accordance with the applicable authorisation matrix;
The reporting and disclosure phase ensures that all information complies with the reporting standards, as presented in “Reporting Frameworks”, ensuring that the final narrative is coherent and methodologically consistent;
This is followed by the external assurance phase, which acts as the final line of defence through an independent limited assurance verification, supported by documentation and testing provided to the auditor;
Finally, the continuous improvement phase integrates the recommendations of internal audit, external assurance and other internal reviews, consolidates action plans, monitors progress and reports periodically to the Audit Commission.
As previously stated, the scope of sustainability reporting has been significantly expanded over the years – we currently verify over 300 ESG-related indicators to different sustainability frameworks –, establishing a wider range of internal controls to support identification and mitigation of the risks related to data accuracy and completeness.
Seven risks were identified in the sustainability reporting process, each mitigated through structured controls recommended by the internal audit department. The first risk, relating to the reliability and completeness of the information, is mitigated through existing analyses and reviews, validation by multiple contributors and the correction of discrepancies, and is further reinforced through systematic cross-functional analysis, defined thresholds and the formal application of the “four-eyes principle”. The second risk, relating to non-compliance with international standards and local requirements, is managed through alignment analyses, specialised training, participation in working groups of associations of which the Group is a member, and prior external audits. The third risk, relating to the potential lack of structured documentation, is mitigated through an existing manual, the procedures of which continue to be strengthened, and through systematic data collection practices. These controls are further reinforced by detailing methodologies and controls, ensuring formal review cycles and maintaining continuous updates. The fourth risk, relating to the delayed identification of environmental, social or regulatory trends, is mitigated through external dialogue, previously conducted materiality assessments, and participation in working groups of associations of which the Group is a member. The fifth risk, relating to technological limitations, is mitigated through systems implemented for data collection and storage, as well as through ongoing technological initiatives aimed at strengthening reporting capabilities. With regard to the sixth risk, potential conflicts of interest, formal requirements for documenting the segregation of duties and evidence of independent review are added to the already clear distribution of responsibilities between teams as a mitigation measure. Finally, the seventh risk, relating to potential misalignment between the sustainability strategy and the business strategy, is mitigated through existing governance structures and the integration of sustainability at the executive level.
1 Information on the responsibilities of the Audit Committee is provided in point 30 “Identification of the Supervisory Body (Audit Committee) Corresponding to the Adopted Model”.